Platform compatibility

macOS, Windows, Linux, iOS / iPadOS, Android

Set up app blocking

1. Choose your enforcement mode

  • Monitor: executions of binaries not covered by a rule are allowed. Use this mode to block specific applications while letting everything else run.
  • Lockdown: executions of binaries not covered by a rule are blocked. Use this mode to permit only an explicit list of approved applications.
  • Standalone: executions of binaries not covered by a rule trigger an authorization dialog, letting the user approve the application themselves.
2. Add applications

Add applications by their bundle identifier (e.g. com.spotify.client) or executable name.
To find an application’s bundle identifier on macOS, run the following command in Terminal:

    osascript -e 'id of app "AppName"'
3. Save and apply

Save and apply the control to the relevant device group.

Modify or remove the control

Disable the control from the profile settings. Disabling stops enforcement but does not remove existing configurations from devices.

How it works

This control is powered by Santa, an open-source macOS security agent developed by Google. Santa intercepts every binary execution request and evaluates it against the configured rules before allowing or denying it. In Monitor mode, Santa terminates only binaries matching a block rule. In Lockdown mode, Santa terminates any binary without an explicit allow rule. In Standalone mode, binaries without a rule prompt the user for authorization before launching. When Santa blocks an application, it terminates the process and shows a system notification explaining that the application is not permitted. The control enforces rules continuously — if a user installs an unapproved application after you apply the control, Santa evaluates it the next time the user attempts to launch it.

Troubleshooting

An allowed application is being blocked
  • Double-check the bundle identifier for typos — identifiers are case-sensitive.
  • Confirm the control is targeting the correct device group.
  • Re-check the enforcement mode: in Lockdown, applications without an allow rule are blocked by default. Either switch to Monitor, or add the application to your allow rules.
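For the identifier check in the first bullet above, the following added example (not part of Primo's or Santa's own tooling) reads CFBundleIdentifier from each installed bundle's Info.plist and flags rule identifiers that differ from an installed one only by letter case. It assumes the rule identifiers are available as a plain list and that applications live under /Applications; the function names and the com.example.DemoApp bundle are constructed for the demo.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

def installed_bundle_ids(apps_dir):
    """Map each .app bundle under apps_dir to its CFBundleIdentifier."""
    ids = {}
    for plist_path in Path(apps_dir).glob("*.app/Contents/Info.plist"):
        try:
            with plist_path.open("rb") as fh:
                info = plistlib.load(fh)
        except (plistlib.InvalidFileException, ExpatError, OSError, ValueError):
            continue  # unreadable or malformed Info.plist: skip this bundle
        bundle_id = info.get("CFBundleIdentifier") if isinstance(info, dict) else None
        if isinstance(bundle_id, str):
            ids[plist_path.parent.parent.name] = bundle_id
    return ids

def audit_rule_ids(rule_ids, apps_dir="/Applications"):
    """Classify each rule identifier: ok, case-mismatch, or not-installed."""
    installed = set(installed_bundle_ids(apps_dir).values())
    by_lower = {bid.lower(): bid for bid in installed}
    report = {}
    for rid in rule_ids:
        if rid in installed:
            report[rid] = ("ok", rid)
        elif rid.lower() in by_lower:
            # Same letters, different case: a case-sensitive rule will not match.
            report[rid] = ("case-mismatch", by_lower[rid.lower()])
        else:
            report[rid] = ("not-installed", None)
    return report

def make_sample_apps(root):
    """Constructed sample data: two fake .app bundles so the demo runs offline."""
    for name, bid in (("Spotify", "com.spotify.client"), ("Demo", "com.example.DemoApp")):
        contents = Path(root) / f"{name}.app" / "Contents"
        contents.mkdir(parents=True)
        with (contents / "Info.plist").open("wb") as fh:
            plistlib.dump({"CFBundleIdentifier": bid}, fh)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_apps(tmp)
        rules = ["com.spotify.client", "com.example.demoapp", "com.example.missing"]
        for rid, (status, actual) in audit_rule_ids(rules, tmp).items():
            print(rid, status, actual or "")
```

On a managed Mac, call audit_rule_ids(rules) without the second argument to scan /Applications instead of the constructed sample tree.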
A blocked application is still running
  • The policy is applied at launch time. If the application was already open when the policy was deployed, restart the device or ask the user to quit and reopen the application.